In late 2016, the United States Court of Appeals for the Sixth Circuit held that a group of putative class action plaintiffs whose personal information was hacked had standing to sue, based in large part on the company’s own post-breach mitigation efforts. See Galaria v. Nationwide Mut. Ins. Co., 2016 U.S. App. LEXIS 16840 (Sept. 12, 2016). This case is part of an emerging pattern of court decisions that suggest increased risks associated with data breach responses.
In Galaria, the plaintiffs sued Nationwide – a financial services company that collects financial and other sensitive personal information from its customers – after its network was hacked and more than 1,000,000 customers’ information allegedly stolen. Nationwide notified its customers of the breach, advised of steps to mitigate the misuse of stolen data and offered a year of free credit monitoring and identity fraud protection through an outside vendor.
The trial court dismissed the case on standing grounds. Standing is a legal doctrine that requires a plaintiff bringing suit in federal court to have suffered, among other things, an “injury in fact.” On that score, mere allegations of possible future injury are generally not sufficient. Instead, the threatened harm must be “imminent” or “certainly impending.”
In reversing the trial court, the Sixth Circuit focused on the very steps the defendant company took right after the breach: “There is no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals. Indeed, Nationwide seems to recognize the severity of the risk, given its offer to provide credit-monitoring and identity-theft protection for a full year.” Moreover, “although it might not be ‘literally certain’ that Plaintiffs’ data will be misused, there is a sufficiently substantial risk of harm that incurring mitigation costs is reasonable . . . particularly when Nationwide recommended taking these [mitigative] steps.”
In a nutshell, the court construed Nationwide’s own post-breach remedial efforts as an admission of the severity and immediacy of the risk of identity fraud, thus establishing standing for the plaintiffs.
Galaria does not stand alone. It is in line with two recent cases from the Seventh Circuit Court of Appeals. See Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015) and Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016). For example, in Remijas the court similarly held that the injuries associated with protecting oneself against future identity theft confer standing. Like the Galaria court, the Remijas court found it “telling” that “Neiman Marcus offered one year of credit monitoring and identity-theft protection” to its customers. Again, these efforts signaled to the court an acknowledgement by the company that fraudulent charges and/or identity theft were sufficiently imminent.
These recent cases raise serious questions about how a company should respond to a data breach. Many state laws require companies to notify customers affected by a data breach. Companies often use that notification as an opportunity to offer remedial measures, such as free credit monitoring, to their customers, either to reduce risk or as a sign of good will. Indeed, these responses have become standard practice, in part because they were viewed as having no significant downside.
In the wake of Galaria, that may no longer be true, as even basic responsive measures might be construed as recognition of the seriousness of the breach, thus increasing the risk of exposure to a class action lawsuit.
Data breach response remains a fast-moving area. Companies should carefully consider the potential consequences their remedial efforts can have in a potential data breach situation, starting with creating or updating a formal data breach response policy.